Is your software GDPR ready? #3 – Locating your data

Where is your data actually located?

This one will apply if you use, or if you’re thinking of investing in, cloud software or storage services.

We’re so used to buying into this idea of the ‘cloud’ as if it’s somewhere untouchable and almost, quite literally, in the air – but actually, all it really means is your data is stored on a server that’s not on your premises and the hardware is not managed directly by you.

As dreamy as it is to think of all that data floating around in a protected extra dimension up in cyberspace, unfortunately, it’s all very much down to earth and subject to GDPR.

Why? Because how and where you store your data comes under scrutiny under GDPR, as defined in the 6th principle that states that data must be processed and stored “using appropriate technical or organisational measures”.

Basically, under GDPR, neglecting scrutiny on your data hosting providers can leave you in as bad a position as if you left your filing cabinet full of customer information open on the shop floor under the Data Protection Act.

Keeping your cloud services GDPR compliant

The question you need to ask of your cloud service providers is: where are their data centres and who manages them?

Any good software or app provider will be upfront about this, and even where they use reseller or mediated hosting services to provide cloud hosting to you – such as Microsoft Azure or Amazon Web Services – they will be happy to tell you which country or territory their data centres are in and who manages them.

Your providers should also be able to tell you what – if any – additional processes, accreditations and or standards they have in place for managing their data centres and servers. A great example of this can be seen on Mailchimp’s page about how they protect the security of your data.

Importantly, if you use any plug-ins on your website to process personal data (for example, your ‘contact us’ forms), you will want to look into whether they use any cloud servers as well – looking at the providers’ Terms & Conditions or Privacy Notice on their website is a good place to start.

You’ll also want to check whether your service providers are meeting their own obligations under GDPR – for example, whether they have registered with a relevant regional supervisory office as data controllers. In the UK, where the supervisory agency is the Information Commissioner’s Office, it’s really easy to search the register of data controllers with just the company’s name.

Although it might seem like this can cause more headaches – when, after all, you’ve already bought, or you’re looking to buy, software in order to solve some headaches – ultimately, the data you’re handing over belongs to you, and you are responsible for choosing the right cloud service providers to look after it on your behalf.

Why the benefits of cloud services with GDPR still outweigh the risks

With the right cloud services provider in place, the benefits to your ongoing GDPR compliance can far outweigh the risks. First and foremost, you’ll get the benefits of saving the time, resource and money required for looking after physical servers on your premises: your cloud servers will always be kept up to date with security patches and software updates (and you will save on the cost of replacement at the end of life).

Secondly, you will have the confidence in the ongoing security and care of your software and data by knowing that the servers are managed effectively and properly to the expectations set out by GDPR.

This isn’t to say that, even with the right cloud service providers in place, you can guarantee that there won’t be any breaches or problems in the future – threats to cyber security are ever-growing and changing at an astonishing rate.

However, it does mean that in the event that your data is compromised through your cloud service providers, you will be able to demonstrate that you made an informed decision when you chose to use them and have therefore done your part in meeting the principle of data protection by ‘design and default’.